scan-site
Plugin check: Run `node "${CLAUDE_PLUGIN_ROOT}/scripts/check-version.js"` — if it outputs a message, show it to the user before proceeding.
Scan Site
Run a security scan on a deployed Power Pages site, fetch the latest scan report, and surface findings in a plain-language summary. The scan runs server-side; duration depends on site size — small sites finish in minutes, large sites can take hours.
This skill scans the live deployed site, not local source code.
Initial request: $ARGUMENTS
Gotchas
- Website record id vs portal id. `.powerpages-site/website.yml` stores the website record id, not the portal id. Every script takes `--portalId`. Resolve once via `website.js --websiteId` during prerequisites.
- Never resolve by name. Site names can duplicate inside an environment; only the website record id is safe. `null` from the resolver means the site is not deployed, or the authenticated profile points at a different environment.
- Scans are long-running. Duration depends on site size — small sites finish in minutes, large sites can take hours. Poll in the background and increase `--timeoutMinutes` for large sites.
- Only one scan per site at a time. A start while a scan is running returns `Z003` — `start-deep-scan.js` reports it as `{ "status": "already-running" }` (exit 0).
- Rate limits may apply. The service may throttle repeated scans on the same site. When throttled, wait and retry later.
- No completed scan yet. A fresh site or a site mid-scan has no completed report — `get-latest-report.js` returns `{ "status": "empty" }`.
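
The control flow these gotchas imply, as an added example (not the plugin's own code). `run(script, args)` is a hypothetical helper that executes one of the skill's scripts and returns its parsed JSON output. Assumptions: the resolver yields the portal id string or `null`, and any report whose status is not `"empty"` is a completed one.

```javascript
// Added example, not part of the plugin. `run` is a hypothetical injected
// helper: run(script, args) -> parsed JSON output of that script (or null).
const sleepSync = (ms) =>
  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);

function scanAndFetch(run, websiteId, opts = {}) {
  const { pollMs = 60000, timeoutMinutes = 60, sleep = sleepSync } = opts;

  // Resolve by website record id only; site names can collide in an environment.
  const portalId = run('website.js', ['--websiteId', websiteId]);
  if (portalId === null || portalId === undefined) {
    return {
      outcome: 'unresolved',
      hint: 'site not deployed, or auth profile points at another environment',
    };
  }

  // A start during a running scan (Z003) comes back as "already-running" with
  // exit 0: attach to that scan instead of retrying the start.
  const start = run('start-deep-scan.js', ['--portalId', portalId]);
  const attached = Boolean(start) && start.status === 'already-running';

  // Mid-scan there is no completed report, so "empty" means keep waiting.
  const maxPolls = Math.max(1, Math.ceil((timeoutMinutes * 60000) / pollMs));
  for (let poll = 1; poll <= maxPolls; poll++) {
    const report = run('get-latest-report.js', ['--portalId', portalId]);
    if (report && report.status !== 'empty') {
      return { outcome: 'report', portalId, attached, polls: poll, report };
    }
    if (poll < maxPolls) sleep(pollMs);
  }
  return { outcome: 'timeout', portalId, attached, polls: maxPolls };
}
```

A `timeout` outcome only means the local wait ended; the server-side scan may still be running, so a later call should expect `already-running` rather than a fresh start.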